Merge branch 'B11134_Set_samesite_header_for_cookies' into 'develop'

B11134 Samesite header for cookies See merge request !406

Merge branch 'B11134_Set_samesite_header_for_cookies' into 'develop'
f0e25a5a · Carsten Rose · 31743295 · 3d3e283b · f0e25a5a
Commit f0e25a5a authored 3 years ago by Carsten Rose
--- a/extension/Classes/Core/Store/Session.php
+++ b/extension/Classes/Core/Store/Session.php
@@ -51,15 +51,15 @@ class Session

            $path = $this->getSitePath();

-            $secure = true; // if you only want to receive the cookie over HTTPS
-            $httponly = false; // prevent JavaScript access to session cookie
+            $secure = false; // if you only want to receive the cookie over HTTPS
+            $httponly = true; // prevent JavaScript access to session cookie
            $samesite = 'lax';

            // Needed expire date for header() method
-            $date = date("D, d M Y H:i:s",strtotime('1 January 2024')) . 'GMT';
+            $expireDate = date("D, d-M-Y H:i:s", strtotime('+2 days')). ' GMT';

            if(PHP_VERSION_ID < 70300) {
-                session_set_cookie_params($lifetime, $path.'; samesite='.$samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
+                session_set_cookie_params($lifetime, $path.';SameSite='.$samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
            } else {
                session_set_cookie_params([
                    'lifetime' => $lifetime,
@@ -81,6 +81,8 @@ class Session

            // Currently, setcookie() is only called to really extend the lifetime. All other parameter needs to be given again.
            // For PHP Version < 7.3 cookie with samesite can only be set over the header() method.
+            // Secure is actually set to false because of testing instance, otherwise SIP cant get requested without HTTPS.
+            // Setup for Secure-> true : 1. Change value of $secure from false to true. 2. Write String "Secure;" after "HttpOnly;" in header() function below.
            if(PHP_VERSION_ID < 70300) {
 // header() here makes no senss, cause it's to late: T3 already sent some non header content.
 //                header("Set-Cookie: ".SESSION_NAME."=".session_id()."; expires=".$date."; path=".$path."; domain=".$currentCookieParams['domain']."; HttpOnly; SameSite=Lax");
@@ -88,16 +90,14 @@ class Session
                setcookie(SESSION_NAME, session_id(), [
                    'expires' => time() + $lifetime,
                    'path' => $path,
-                    'domain' => $currentCookieParams['domain'],
-                    'secure' => $secure,
                    'httponly' => $httponly,
-                    'samesite' => 'Lax',
+                    'secure' => $secure,
+                    'samesite' => 'Lax'
                ]);
-
            }

            // Old way to set cookie without samesite - samesite is needed later
-            // setcookie(SESSION_NAME, session_id(), time() + $lifetime)
+            //  setcookie(SESSION_NAME, session_id(), time() + $lifetime, $path, $currentCookieParams['domain'], $currentCookieParams['secure'], true);

            self::$sessionId = session_id();
        }